[Samba] Rights issue on GPO

L.P.H. van Belle belle at bazuin.nl
Wed Jun 22 13:27:24 UTC 2016


And what I don't see: what is your "current" smb.conf?

Greetz. 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 at gmail.com
> Sent: Wednesday, 22 June 2016 15:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
> 
> On 6/22/2016 8:51 AM, Rowland penny wrote:
> > On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> >> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
> >>> And don't forget:
> >>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>>
> >>> I also noticed an incorrect mapping, which "looks" like a rights
> >>> issue like in the thread here (it is IMO not a rights issue).
> >>> Read on...
> >>>
> >>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
> >>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
> >>> NTDOMAIN\domain users:x:10000:
> >>> NTDOMAIN\domain guests:x:10002:
> >>> NTDOMAIN\domain computers:x:10006:
> >>> NTDOMAIN\domain controllers:x:3000018:
> >>> NTDOMAIN\read-only domain controllers:x:3000203:
> >>>
> >>> Is conflicting with
> >>> BUILTIN\administrators:x:3000000:
> >>> BUILTIN\users:x:3000009:
> >>> BUILTIN\guests:x:3000015:
> >>> BUILTIN\account operators:x:3000185:
> >>> BUILTIN\server operators:x:3000001:
> >>>
> >>> Which results in some incorrect mappings.
> >>>
> >>> But if you add:     acl_xattr:ignore system acls = yes  to the
> >>> Sysvol share,
> >>>   !!  AND you're using the DCs only as DCs  !!
> >>>
> >>> then this incorrect mapping can be ignored. At least I'm ignoring it,
> >>> since everything is tested and works fine.
> >>>
> >>> But I'm thinking of setting a separate range for BUILTIN.
> >>>
> >>> A setup something like:
> >>>
> >>>          idmap_ldb:use rfc2307 = yes
> >>>
> >>>          ## map ids outside the domain to tdb files.
> >>>          ## used for local (Linux only) users
> >>>          idmap config * : backend = tdb
> >>>          idmap config * : range = 2000-9999
> >>>
> >>>          ## map ids from the domain and (*); the ranges may not overlap!
> >>>          ## the NTDOMAIN range id mappings
> >>>          idmap config NTDOMAIN : backend = ad
> >>>          idmap config NTDOMAIN : schema_mode = rfc2307
> >>>          idmap config NTDOMAIN : range = 10000-2999999
> >>>
> >>>          ## map ids from BUILTIN (local system)
> >>>          ## (the domain name must be spelled BUILTIN, as Samba names it)
> >>>          idmap config BUILTIN : backend = ad
> >>>          idmap config BUILTIN : schema_mode = rfc2307
> >>>          idmap config BUILTIN : range = 3000000-3999999
> >>>
> >>> Sometimes you also see, from within Windows, security rights like:
> >>> NTDOMAIN\administrators
> >>> which should be
> >>> BUILTIN\administrators
> >>>
> >>> Anyone any suggestion about setting an extra BUILTIN range for the
> >>> local computer/system?
> >>>
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
> >>>> Sent: Wednesday, 22 June 2016 13:59
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Rights issue on GPO
> >>>>
> >>>>
> >>>>
> >>>> On 06/22/2016 01:44 PM, mj wrote:
> >>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
> >>>>> thought they were only for the domain member servers...
> >>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> >>>>
> >>>> :-)
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>
> >> Why is it when I do a getfacl I do not see the mapping of BUILTIN
> >> like others?
> >>
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: usr/local/samba/var/locks/sysvol/
> >> # owner: root
> >> # group: 3000000
> >> user::rwx
> >> user:root:rwx
> >> user:3000000:rwx
> >> user:3000001:r-x
> >> user:3000002:rwx
> >> user:3000003:r-x
> >> group::rwx
> >> group:3000000:rwx
> >> group:3000001:r-x
> >> group:3000002:rwx
> >> group:3000003:r-x
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:user:3000000:rwx
> >> default:user:3000001:r-x
> >> default:user:3000002:rwx
> >> default:user:3000003:r-x
> >> default:group::---
> >> default:group:3000000:rwx
> >> default:group:3000001:r-x
> >> default:group:3000002:rwx
> >> default:group:3000003:r-x
> >> default:mask::rwx
> >> default:other::---
> >>
> >
> > What version of Samba is this?
> >
> > Rowland
> >
> >
> 
> samba -V
> Version 4.4.4
> 
> 
> --
> -James
> 
> 
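As an added example (not from the thread and not Samba's own code): a small Python script that parses the `idmap config DOMAIN : key = value` lines from an smb.conf fragment modelled on Louis's proposal, checks that the configured ranges do not overlap (the rule his comment states), and maps the numeric ids that show up in getfacl output like James's to the range that claims them. Both smb.conf fragments and the getfacl excerpt are constructed sample data; `BAD_SMB_CONF` deliberately extends the NTDOMAIN range into the BUILTIN range so the overlap check has something to report. Function names are my own.

```python
import re

# Constructed smb.conf fragment modelled on the idmap layout proposed in the
# thread (domain spelled BUILTIN, as Samba names it). Not Samba's own code.
GOOD_SMB_CONF = """
[global]
    idmap_ldb:use rfc2307 = yes
    ## map ids outside the domain to tdb files (local Linux-only users)
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    ## the NTDOMAIN range; ranges may not overlap
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-2999999
    ## separate BUILTIN (local system) range
    idmap config BUILTIN : backend = ad
    idmap config BUILTIN : schema_mode = rfc2307
    idmap config BUILTIN : range = 3000000-3999999
"""

# Constructed bad variant: the NTDOMAIN range runs into the BUILTIN range.
BAD_SMB_CONF = GOOD_SMB_CONF.replace("range = 10000-2999999", "range = 10000-3500000")

# Constructed getfacl excerpt in the shape of the sysvol listing quoted in the thread.
SAMPLE_GETFACL = """\
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:3000002:rwx
group:1500:r-x
mask::rwx
other::---
default:user:3000003:r-x
default:group:10001:rwx
"""

# 'idmap config DOMAIN : key = value' (domain '*' is the default/catch-all backend)
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# numeric (unresolved) ids in getfacl output: ACL entries and the owner/group header
ACL_ID_RE = re.compile(r"^(?:default:)?(?:user|group):(\d+):")
OWNER_RE = re.compile(r"^# (?:owner|group): (\d+)$")


def parse_idmap_config(text):
    """Return {DOMAIN: {key: value}} for every idmap config line in an smb.conf fragment."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(value):
    """'10000-2999999' -> (10000, 2999999); rejects an inverted range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def configured_ranges(cfg):
    """Only the idmap domains that actually carry a 'range' setting."""
    return {dom: parse_range(v["range"]) for dom, v in cfg.items() if "range" in v}


def find_overlaps(cfg):
    """Sorted pairs of idmap domains whose ranges share at least one id."""
    ranges = configured_ranges(cfg)
    names = sorted(ranges)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]
    ]


def classify_acl_ids(getfacl_text, cfg):
    """Map each numeric id in getfacl output to the idmap domain whose range holds it,
    or None when no configured range claims it."""
    ranges = configured_ranges(cfg)
    seen = {}
    for line in getfacl_text.splitlines():
        m = ACL_ID_RE.match(line) or OWNER_RE.match(line)
        if not m:
            continue
        uid = int(m.group(1))
        seen[uid] = next((d for d, (lo, hi) in ranges.items() if lo <= uid <= hi), None)
    return seen


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(f"{label}: overlaps = {find_overlaps(parse_idmap_config(conf))}")
    good = parse_idmap_config(GOOD_SMB_CONF)
    for uid, dom in sorted(classify_acl_ids(SAMPLE_GETFACL, good).items()):
        print(f"id {uid}: {dom or 'outside every configured range'}")
```

Numeric ids in getfacl output only mean the local name service could not resolve them; the classification shows which configured range is responsible for each id (and which ids, like the constructed 1500, fall outside every range), which is the first thing to check before treating a sysvol listing like James's as a permissions problem.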